About 5 years after the disaster around npm and left-pad, I wonder
- how many dependencies on packages or libraries your software has,
- how many of them have a good or excellent test suite,
- how many of these you are in full control of, determining the exact version used and the location it is used from.
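An added example, not part of the original post, that turns those three questions into a check you can run: it reads a project's declared dependencies and its npm lockfile and reports how many are pinned to an exact version and how many have both a fixed download location (`resolved`) and an `integrity` hash in the lock, which is what lets an install verify what it fetched. The `package.json` and `package-lock.json` contents below are constructed sample inputs (the integrity value is a placeholder), and the lockfile layout assumed is the `packages` map of lockfile version 2/3.

```javascript
// Added example: audit declared dependencies against the lockfile.
// Both inputs are constructed samples, not real project files.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "left-pad": "^1.1.3",            // caret range: minor/patch drift allowed
    "is-positive-integer": "1.1.1",  // exact version
    "isarray": "~1.0.0"              // tilde range: patch drift allowed
  }
};

// Lockfile v2/v3 layout: entries keyed by their path under node_modules.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER"   // placeholder, not a real hash
    },
    "node_modules/is-positive-integer": {
      version: "1.1.1",
      resolved: "https://registry.npmjs.org/is-positive-integer/-/is-positive-integer-1.1.1.tgz"
      // no integrity field: the tarball content cannot be verified on install
    },
    "node_modules/isarray": {
      version: "1.0.0"
      // no resolved URL: the lockfile does not fix where this comes from
    }
  }
};

// An exact specifier is a bare semver version, optionally with a prerelease tag.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function isExactSpecifier(spec) {
  return EXACT_VERSION.test(spec);
}

// Number of packages the lockfile actually pins (direct plus transitive),
// excluding the root entry "".
function countLockedPackages(lock) {
  return Object.keys(lock.packages || {}).filter((key) => key !== "").length;
}

// Cross-reference each declared dependency with its lock entry and summarise
// how much control the project really has over version and location.
function auditDependencies(pkg, lock) {
  const declared = pkg.dependencies || {};
  const packages = lock.packages || {};
  const entries = Object.entries(declared).map(([name, spec]) => {
    const entry = packages[`node_modules/${name}`];
    return {
      name,
      spec,
      exactSpecifier: isExactSpecifier(spec),
      locked: Boolean(entry && entry.version),
      lockedVersion: entry ? entry.version : null,
      // "Fixed location" means the lock records both where the tarball
      // came from and a hash to check it against.
      fixedLocation: Boolean(entry && entry.resolved && entry.integrity)
    };
  });
  return {
    total: entries.length,
    exactSpecifiers: entries.filter((e) => e.exactSpecifier).length,
    locked: entries.filter((e) => e.locked).length,
    fixedLocation: entries.filter((e) => e.fixedLocation).length,
    lockedPackages: countLockedPackages(lock),
    entries
  };
}

// Stand-alone run over the sample inputs.
const summary = auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
for (const e of summary.entries) {
  console.log(
    `${e.name.padEnd(22)} spec=${e.spec.padEnd(8)} exact=${e.exactSpecifier}` +
    ` locked=${e.lockedVersion} fixedLocation=${e.fixedLocation}`
  );
}
console.log(
  `${summary.total} direct deps, ${summary.exactSpecifiers} pinned exactly, ` +
  `${summary.fixedLocation} with resolved+integrity, ` +
  `${summary.lockedPackages} packages in lockfile`
);
```

Run it with `node` on real files by replacing the two sample objects with `JSON.parse(fs.readFileSync(...))`; the useful number is the gap between `total` and `fixedLocation`, since any dependency without a `resolved` URL and `integrity` hash is one whose exact content the install cannot verify.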
The disaster was well phrased in [WayBack] NPM & left-pad: Have We Forgotten How To Program? – David Haney – Blogging my experiences as a developer and engineering manager, which covers these topics:
- Functions are not packages
- Third party problems
- Strive for few dependencies
and these quotes:
- React, Babel, and a bunch of other high-profile packages on NPM broke. The reason they broke is rather astounding: A simple NPM package called left-pad that was a dependency of their code.
- some of the things that I observed:
- There’s a package called isArray that has 880,000 downloads a day, and 18 million downloads in February of 2016. It has 72 dependent NPM packages. Here’s its entire 1 line of code:
  ```js
  return toString.call(arr) == '[object Array]';
  ```
- There’s a package called is-positive-integer (GitHub) that is 4 lines long and as of yesterday required 3 dependencies to use. The author has since refactored it to require 0 dependencies, but I have to wonder why it wasn’t that way in the first place.
- A fresh install of the Babel package includes 41,000 files
- A blank jspm/npm-based app template now starts with 28,000+ files
- frameworks create a “core” library of basic functionality. Such a library is vetted by the creators of the language and pretty much guaranteed to be correct and bug-free.
- if you cannot write a left-pad, is-positive-integer, or isArray function in 5 minutes flat (including the time you spend Googling), then you don’t actually know how to code. Any of these would make a great code screening interview question to determine whether or not a candidate can code.
- Take on a dependency for any complex functionality that would take a lot of time, money, and/or debugging to write yourself. Things like a database access layer (ORM) or caching client should be dependencies because they’re complicated and the risk of the dependency is well worth the savings and efficiency.
- ask the React team how well their week has been going, and whether they wish they had written those 11 lines for left-padding a string themselves.
Via: [WayBack] “There’s a package called isArray that has 880,000 downloads a day, and 18 million downloads in February of 2016. It has 72 dependent NPM packages. Here… – Elke Stangl (elkement) – Google+
Related:
- [Archive.is] development ecosystems with lots of dependencies – Google Search
- [WayBack] left-pad.io
- [WayBack] How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript • The Register
–jeroen